Open Darwiner opened 3 months ago
@Darwiner I think reviewdog on image scanning is not suitable for GitHub PR. As you said, in GitHub PR, we (and the reviewer) can not comment on other than changed lines. So, we can add comments without any changed lines, but they don't need to be reviewed.
Has anyone been able to get any useful output from combining trivy + reviewdog for container image scanning?
I would have hoped to keep using https://github.com/reviewdog/action-trivy for both
fs
scans (which works great) as much asimage
scans (and not have to also use https://github.com/reviewdog/action-trivy forimage
scans), but I'm not finding any method to get any useful output in any way.Considering the output that trivy comes up for container image scans, which doesn't reference to any file nor location that reviewdog sees... I suppose that might be why there's nothing to reference to and the result is just nothing (even with setting filter mode to
nofilter
)?At best, I could add a trivy flag to also output to a file, and have that file be included as a PR comment... But then comes the fact that the file would be in sarif format. Not very useful from a human-readable standpoint. :)